'self' xss reported in a question's moderate

2013-09-02T07:10:03
ID ATLASSIAN:CONFSERVER-47423
Type atlassian
Reporter dblack
Modified 2017-04-02T09:06:55

Description

{panel:bgColor=#e7f4fa} NOTE: This bug report is for Confluence Server. Using Confluence Cloud? [See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47423]. {panel}

We have received an external report of a dom xss in the moderation code for a question on answers.atlassian.com.

{quote} 1) DOM XSS

Go to https://answers.atlassian.com/ Prepare an question ,after savin it go to the question ,there is an option of "Moderate" ,click it ,there is an option to "Create bounty" select that , and in the input box which appears enter '"><iframe/onload=prompt(document.cookie);> and press ok and alert will come immediately !!

{quote}

This issue would require some social engineering exploit through perhaps clickjacking and tricking a user into XSS'ing themselves on answers.atlassian.com.